Cryptographic systems are known in the data processing art. In general, these systems operate by performing an encryption operation on a plaintext input message, using an encryption key and a symmetric key block cipher, producing a cipher-text message. The encrypted message may then be sent over an unreliable and unsecured channel to a receiver that shares the secret key. The receiver of the encrypted message performs a corresponding decryption operation using the same key, to recover the plaintext message. Since the same key is used by both the sender and receiver of the message, the process is referred to as a “symmetric key” process.
In current cryptographic systems, message integrity is controlled using a message authentication code (“MAC”). This is necessary since although the receiver of the ciphertext message can decrypt the ciphertext, the receiver is not assured that the ciphertext was not accidentally or maliciously altered during the ciphertext transmission. Message integrity is thereby ensured by transmitting the ciphertext message with a MAC.
In some applications the data is not encrypted. The two users that are exchanging messages and data, are only interested in authenticating the data. That is, only a MAC is generated on the plaintext, and sent with the plaintext, assuring the receiver that the plaintext being sent is indeed authentic.
In applications concerning data storage, there is actually only one user. For example, a user may want to store data in an unsecured device and later check to determine if the data was not deliberately or accidentally modified. Since the MAC is comparatively a small piece of data relative to the data stored, to prevent stored data modification, the user will store the data and save the MAC in a secure location. When retrieving the data at a later time, the user would regenerate the MAC on the retrieved data, and compare it with the original MAC for authenticity.
There are further situations, in which the data as stored above, or communicated to another user, is updated in an incremental manner. With the exception of a single block, the majority of the data remains the same. It would be prohibitive to recompute the entire MAC each time a block of data is updated. In such a situation, an authentication tree is generated instead of a simple MAC. This type of authentication tree is well known in the art and is referred to as a Merkle Authentication tree.
However, for a total data of n blocks, which can be updated on a block by block basis, the Merkle Authentication tree requires a computation of log(n) block cryptographic operations. Moreover, these log(n) cryptographic operations are inherently sequential and are not abled to be pipelined. That is, the first operation has to finish completely before the second operation can begin.
What is needed is a new class of authentication tree that allows for the log(n) block cryptographic operations to be computed in parallel.